SM National Secret Algorithm (4) -- SM3 Algorithm

1. Introduction

The SM3 cryptographic hash algorithm is China's commercial cryptographic hash algorithm standard, announced by the State Cryptography Administration of China in 2010. It is suitable for digital signatures and verification in commercial cryptographic applications.
SM3 is an algorithm improved on the basis of SHA-256, and its security is equivalent to that of SHA-256. The iterative processes of SM3 and MD5 are similar, and both use the Merkle-Damgård structure. The message block length is 512 bits and the digest length is 256 bits.
The algorithm runs in four steps: message padding, message expansion, iterative compression, and output of the result.

2. SM3 algorithm steps

1. Message padding

The message expansion step of SM3 takes a 512-bit data block as input, so the data must first be padded to a multiple of 512 bits. The padding rules are the same as MD5. The specific steps are as follows:

  1. First append a single "1" bit, followed by k "0" bits, where k is the smallest positive integer satisfying $(n + 1 + k) \bmod 512 = 448$ and n is the message length in bits.
  2. Append the 64-bit data length (measured in bits and stored in big-endian order; this can be inferred from the worked example in Appendix A of the algorithm standard).

2. Message expansion

The iterative compression step of SM3 does not operate on the data block directly; it uses the 132 message words generated by this step. (A message word is 32 bits / 4 bytes / 8 hexadecimal digits long.) In summary, a 512-bit data block is first divided into 16 message words, which become the first 16 of the 132 generated message words. These 16 message words are then used to recursively generate the remaining 116 message words.

Among the final 132 message words, the first 68 form the sequence $W_j$ and the last 64 form the sequence $W'_j$, where the subscript j starts counting from 0.

3. Iterative compression

The iterative process of SM3 is similar to that of MD5, which is also a Merkle-Damgard structure. But unlike MD5, SM3 uses message words obtained by message expansion for calculations. This iterative process is illustrated below:
[Figure: the SM3 iteration process]

The initial value IV is placed in eight 32-bit variables A, B, C, D, E, F, G, and H. For its specific values, refer to "SM3 Cryptographic Hash Algorithm". The core and most complex part of the entire algorithm is the compression function. The compression function performs 64 rounds of the same calculation on these eight variables. The calculation process of one round is shown in the figure below:

[Figure: one round of the compression function]
Different data flow directions in the diagram are represented by arrows of different colors.

Finally, XOR the calculated A, B, C, D, E, F, G, H with the original A, B, C, D, E, F, G, H respectively; the result is the output of the compression function. This output is used as the initial value the next time the compression function is called, and so on, until the last group of 132 message words has been used.

4. Output results

The eight resulting variables A, B, C, D, E, F, G, and H, output in order, are the output of the SM3 algorithm.


Origin blog.csdn.net/guoxulieying/article/details/131322278